WHITEPAPER

DECEPTION TO ENHANCE ENDPOINT DETECTION AND RESPONSE
www.attivonetworks.com | Whitepaper | ANWP041619

EXECUTIVE SUMMARY

Endpoint Detection and Response (EDR) systems have become more popular as the technology has advanced. As a result, organizations have shifted their security focus, and budget, toward bolstering internal endpoint defenses and away from defending the perimeter. This paper examines how deception technology complements EDR to make an organization’s internal defenses more robust, complementing existing technologies and improving overall security.

ENDPOINT DETECTION AND RESPONSE

The threat landscape is ever changing, and the days of being able to rely exclusively on perimeter defenses are long gone. Cybersecurity professionals have known for some time that sophisticated attackers can routinely bypass perimeter defenses, consistently slipping through to move unseen through their target’s environment, which puts a premium on defending the environment internally. This has led many security practitioners to take the position of an “assumed breach,” leading directly to many organizations hardening their security stacks with additional layers of defense inside the perimeter. EDR tools evolved as a direct response to this new paradigm, reacting to the increasingly challenging threat landscape created by the latest generation of sophisticated attacks. Over time, EDR has become a crucial interior layer in a “Defense-in-Depth” strategy.

EDR is more than just a single product or a single set of tools. The term covers a range of capabilities that combine monitoring, analysis, reporting, response, and forensic functions into a suite of defenses designed to thwart highly skilled attackers. By placing sensors and response capability on the endpoints, these systems are positioned to identify and stop an attacker while they are in play, and the forensic capabilities in many EDR solutions give an organization the tools needed to analyze an attack and gather adversary intelligence. This also provides the ability to identify potential targets and weaknesses in its existing defenses.

However, skilled attackers have demonstrated that it is possible for them to evade modern EDR systems, much as they previously demonstrated an ability to bypass perimeter defenses. Securing the interior with a full Defense-in-Depth strategy requires more: an organization must consider other techniques, and solutions, when reviewing its defenses. This is where deception technology comes into play, enhancing and complementing existing EDR and perimeter solutions.


DECEPTION TO ENHANCE EDR

Fundamentally, deception is the art and science of tricking adversaries into believing that what they are seeing is real when it is not. Camouflage, decoys, and bait are all a part of this art. Hunters have used decoys and deception for centuries. Law enforcement and the military use it routinely to outwit threats and gain intelligence; seventy years ago, the military was building fake airfields, deploying inflatable tanks, and using other tricks to deceive their opponents to devastating effect.[1]

In the context of cybersecurity, deception is a way to alter the apparent attack surface, both to obscure vulnerable targets and to lead attackers into traps that immediately detect their presence. Deception is equally effective against a skilled, live attacker or their automated tools. Generally, deception techniques fall into two primary realms: endpoint and network. Each of these large realms is subdivided into additional areas including data, application, and database. Deception in these realms covers different aspects of the environment, providing a range of benefits that complement and enhance an organization’s overall security posture.

Endpoint deception includes deceptive credentials, false shares, decoy documents, and other assets that appear on local systems. Given current attack methodology, an endpoint is usually the ingress point for an attacker, and this is where they will start their reconnaissance and make efforts to escalate their privileges. Deceptive credentials and assets placed on the endpoint work to direct attackers away from production assets and into the deception environment, where they can be observed and contained.

Network deception includes decoy systems, servers, and services that appear indistinguishable from genuine production assets, and can include IoT, SCADA, telecommunications, and other non-computing assets in the mix.

Deceptive credentials act as breadcrumbs to lead attackers to decoys on the network that record their attacks. Hidden mapped drives that lead to decoy server shares detect attacks trying to spread across the network. Deceptive security access tokens and keys detect attacks targeting cloud or remote infrastructure.

[1] https://ghostarmy.com/


With live assets obscured behind a haze of indistinguishably identical decoys, an attacker will find themselves in a virtual minefield where mistakes will immediately alert the security operations team to their presence.

Combined with EDR, deception technology adds substantial value and dramatically improves an organization’s defenses, with notable enhancements in several main areas: in-network threat detection; endpoint discovery, visibility, and tracking; information sharing; and automated incident response.

IN-NETWORK THREAT DETECTION

Deception technology enhances EDR defenses by quickly detecting active threats that are moving laterally within the network. Whether an attacker is performing simple reconnaissance, using stolen credentials to access other assets, or trying to execute other sophisticated attacks, a comprehensive deception solution makes their task radically more difficult.

Attackers use a range of tools to enter a target network, usually breaching an endpoint and expanding outward from there. This makes detecting their spread the first step in keeping an initial compromise from escalating into a full-scale breach. Endpoint deception strategies include placing breadcrumbs in the form of fake credentials, file shares, mimicked services, and decoy data that can quickly lure attackers away from production assets and into the deception environment, where their actions are recorded and studied without their knowledge. Even if an attacker can evade an EDR solution and access host resources, they will not be able to separate deceptive assets from the real ones, increasing the likelihood of them being detected very early in the attack cycle.

The strategy is similar across the network. By creating a synthetic attack surface based on skillfully crafted decoys designed to mirror production assets, organizations create an environment where an attacker is unable to differentiate between decoy and real devices. This not only redirects them away from legitimate targets, but also proactively lures them into engaging with the deception environment. Any contact there raises a high-fidelity alert and reveals the attacker’s presence.

Since any use of a deceptive credential or contact with a decoy asset is significant, using deception for detection and visibility results in virtually zero false positives – any contact is a misconfiguration, policy violation, or malicious action. Because the incident response team receives substantiated events, it becomes significantly more efficient and effective.
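The detection logic the two sections above describe, as an added example that is not Attivo's code: every record that uses a planted credential or touches a decoy host is an alert, whether the attempt succeeded or not, and the alerts are grouped by source endpoint so an EDR integration knows which host to act on. The log format, account names and addresses are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed deception inventory (hypothetical names, not from the whitepaper):
# accounts planted as breadcrumbs on endpoints, and decoy hosts/shares on the network.
DECEPTIVE_ACCOUNTS = {"svc_backup_adm", "fin_share_ro"}
DECOY_HOSTS = {"10.0.50.21", "10.0.50.22"}

# Assumed log format: "<ts> <event> user=<u> src=<ip> dst=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\w+)$"
)

@dataclass
class Alert:
    ts: str
    reason: str
    user: str
    src: str
    dst: str
    result: str

def detect(lines):
    """One alert per deceptive asset touched. Success or failure does not matter:
    no legitimate process uses a planted credential or connects to a decoy."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an auth/connection record in the assumed format
        f = m.groupdict()
        if f["user"] in DECEPTIVE_ACCOUNTS:
            alerts.append(Alert(f["ts"], "deceptive credential used", f["user"], f["src"], f["dst"], f["result"]))
        if f["dst"] in DECOY_HOSTS:
            alerts.append(Alert(f["ts"], "decoy asset contacted", f["user"], f["src"], f["dst"], f["result"]))
    return alerts

def suspect_sources(alerts):
    """Alerts per source host: the endpoint the intruder is operating from,
    i.e. the host an EDR integration would be asked to isolate."""
    return dict(Counter(a.src for a in alerts))

# Constructed sample log: a user doing normal work, then an intruder on the same
# endpoint trying a planted credential and touching decoy hosts.
SAMPLE_LOG = [
    "2019-04-16T10:01:02Z logon user=jsmith src=10.0.10.5 dst=10.0.20.7 result=success",
    "2019-04-16T10:03:15Z logon user=svc_backup_adm src=10.0.10.5 dst=10.0.20.7 result=failure",
    "2019-04-16T10:03:40Z smb_connect user=jsmith src=10.0.10.5 dst=10.0.50.21 result=success",
    "2019-04-16T10:04:01Z logon user=svc_backup_adm src=10.0.10.5 dst=10.0.50.22 result=success",
    "garbage line that does not match the format",
]
```

Note that the failed logon with the planted account still alerts: the credential exists only as bait, so a failed attempt is as significant as a successful one.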

NETWORK VISIBILITY, ENDPOINT DISCOVERY, AND TRACKING

Modern deception solutions use machine learning to create authentic deceptions, decoys, and lures by identifying and cataloging assets on the network and tracking them as they move. This capability has also proven invaluable for detecting unauthorized personal devices, IoT, network, telecommunication, and other less-secure devices entering the network – including devices added with malicious intent.[2] In addition to device visibility, modern platforms also include the ability to alert on exposed credential attack paths.

Exposed and orphaned credentials, along with system misconfigurations, are often the opening an attacker needs to gain a foothold after their initial intrusion. Topographical network maps and tabular displays that visualize the credential pathways an attacker could leverage are powerful tools. That level of visibility leads to insights into the environment that not only reduce risk but also eliminate hours of manual processing work. The ability to track devices as they move around the environment provides additional benefits for both security and operations.

[2] https://attivonetworks.com/darkvishnya/

The DarkVishnya threat, reported in late 2018 and primarily affecting financial institutions in Eastern Europe, utilized small physical devices placed on a target’s network to give attackers back-door access to the target environment. Various forms of this attack have existed for many years, utilized by attackers and penetration testers alike. A modern deception system would catalogue these attack devices and deceive an attacker using them into the deception environment, mitigating the threat.
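The credential-pathway visibility described above, as an added example that is not Attivo's code: a small inventory of which accounts have credentials cached on which hosts and where those accounts hold logon rights, a walk from a compromised endpoint to see which critical assets it exposes, the orphaned credentials in the inventory, and the specific cached credentials whose removal severs the path. All hosts, accounts and rights are constructed assumptions.

```python
from collections import deque

# Constructed inventory (hypothetical hosts and accounts, not data from the whitepaper).
CACHED_CREDS = {        # host -> accounts whose credentials are stored/cached on it
    "WS-101": {"jsmith", "helpdesk_adm"},
    "WS-102": {"jsmith"},
    "FS-01":  {"old_backup"},   # orphaned: the account no longer exists in the directory
    "SQL-01": {"sql_svc"},
}
LOGON_RIGHTS = {        # account -> hosts it can log on to with admin rights
    "jsmith":       {"WS-101", "WS-102"},
    "helpdesk_adm": {"WS-101", "WS-102", "FS-01"},
    "old_backup":   {"FS-01", "SQL-01"},
    "sql_svc":      {"SQL-01"},
}
DIRECTORY_ACCOUNTS = {"jsmith", "helpdesk_adm", "sql_svc"}
CRITICAL_ASSETS = {"SQL-01"}

def orphaned_credentials():
    """Cached credentials whose account is no longer managed in the directory."""
    return {(host, acct) for host, accts in CACHED_CREDS.items()
            for acct in accts if acct not in DIRECTORY_ACCOUNTS}

def credential_paths(start_host):
    """Breadth-first walk over host -> cached account -> host edges.
    Returns {reachable_host: [host, account, host, ...]} with the first path found."""
    paths = {start_host: [start_host]}
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        for acct in sorted(CACHED_CREDS.get(host, ())):
            for nxt in sorted(LOGON_RIGHTS.get(acct, ())):
                if nxt not in paths:
                    paths[nxt] = paths[host] + [acct, nxt]
                    queue.append(nxt)
    return paths

def exposed_critical_assets(start_host):
    """Critical assets reachable from a compromised endpoint, with the path used."""
    return {h: p for h, p in credential_paths(start_host).items() if h in CRITICAL_ASSETS}

def remediation_candidates(start_host):
    """(host, account) credentials lying on a path to a critical asset; clearing
    any one of them from its host severs that path."""
    creds = set()
    for path in exposed_critical_assets(start_host).values():
        creds.update((path[i], path[i + 1]) for i in range(0, len(path) - 1, 2))
    return creds
```

In the constructed data, a foothold on WS-102 reaches SQL-01 only by way of the orphaned old_backup credential on FS-01, which is exactly the kind of finding the map is meant to surface.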


INFORMATION SHARING

Leveraging high-interaction decoys, security teams can gather detailed forensic analysis on their attackers. Following the initial detection, deception technology safely collects and automatically correlates attacker TTPs (tactics, techniques, and procedures) and IOCs (indicators of compromise), and provides counterintelligence for insight into the attacker’s capabilities, goals, and target information – what assets they are trying to compromise, exfiltrate, or damage. Integrating the deception solution with the rest of the security stack provides additional advantages: sharing IOC information with the EDR solution and other 3rd-party systems accelerates incident response and remediation and provides additional data for threat hunting.

AUTOMATED INCIDENT RESPONSE

By natively integrating with 3rd-party security solutions, deception technology can provide automated incident response, reducing reaction times for critical, high-severity alerts. With these native integrations, security teams can take full advantage of their existing security stack, setting the deception platform to automatically trigger endpoint isolation, blocking, and threat hunting. This saves critical time in stopping the spread of an attack and the harm it can inflict.

Coupled with EDR on the endpoints and conventional perimeter defenses, a deception platform complements and enhances an organization’s Defense-in-Depth strategy, making an attacker’s job radically more difficult, and can serve as a deterrent that drives them to pursue an easier target.

THE ATTIVO THREATDEFEND SOLUTION

The Attivo Networks® ThreatDefend Platform™ is the industry-leading deception technology solution, providing state-of-the-art deception that is easy to deploy, use, and scale, and is available across a range of physical, virtual, and cloud platforms.

Offering a comprehensive range of deception to cover both endpoints and the network, as well as extensive native integrations with 3rd-party security applications, the ThreatDefend Platform is a natural complement to an organization’s EDR solution. Where EDR provides detection and reaction capabilities on the endpoint, Attivo’s deception technology extends an organization’s visibility across their environment to comprehensively enhance their capabilities.


At the heart of the Attivo Networks ThreatDefend platform is the BOTsink® server. The BOTsink server hosts decoys, performs threat analysis, creates and anchors deceptive credentials and endpoint lures, coordinates automated responses with integrated 3rd-party solutions, and provides the user interface to manage the deception solution. The BOTsink server is available as a physical or virtual appliance, or a cloud instance, giving the versatility an organization needs to deploy in a modern distributed environment.

To extend deception capabilities into microsegmented networks or remote locations, including remote offices, datacenters, or cloud environments, Attivo Networks includes the ThreatDirect™ feature. This feature empowers an organization to easily and efficiently project BOTsink server hosted decoys across their entire environment.

To extend deception onto the endpoints, where an attacker often gets their first foothold, Attivo Networks offers the ThreatStrike® Endpoint Suite. This solution places convincing lures and breadcrumbs, including deceptive credentials that lead attackers toward decoy assets and away from production assets, deceptive shares that can divert an attacker and catch malware infections as they attempt to spread, and decoy documents that are tagged for geolocation if they are exfiltrated or viewed. It also includes the capability to extract memory forensics from the host. The ThreatStrike function is lightweight and does not utilize an on-host agent, allowing for seamless work with EDR systems without the issue of performance impact on protected hosts. For distribution and maintenance, the ThreatStrike™ solution leverages existing management tools, adding minimal overhead to the security team’s workload.

The ThreatPath® solution provides visualization of credential trust relationships and potential pathways an attacker could use to move laterally across the environment. This visibility makes it easier for the security operations team to understand potential vulnerabilities in their space and reduce the attack surface.

[Figure: Attivo Networks ThreatDefend platform overview. Panels: Active Defense; Analysis, Forensics, Incident Response; Native Integrations; Automated Actions; Early Detection & Visibility; All Threats & Attack Surfaces; Cloud, Network, Endpoint; Lateral Movement, Credential Theft. © 2018 Attivo Networks.]

© 2019 Attivo Networks. All rights reserved. Attivo Networks, ThreatDefend, and ThreatPath are registered trademarks of Attivo Networks, Inc.


The ThreatDefend platform offers native integration with a broad range of EDR and other security solutions, making a powerful combination. To leverage that integration, the ThreatOps™ solution gives the response team the tools to initiate automated responses to a large variety of attacks, quarantine or isolate a system, activate endpoint defense and forensics, and generate service tickets to aid in remediation. These repeatable playbooks reduce remediation times and improve both effectiveness and efficiency for the incident response team.

SUMMARY

The relative ease with which sophisticated attackers learned to bypass perimeter defenses has shifted the focus of detection and defense inside the network, leading to more advanced defensive techniques such as EDR. Deception technologies enhance these endpoint defenses by diverting attackers away from production assets into heavily instrumented decoys, creating an artificial attack surface that obscures the actual attack surface and reduces the risk of credential exposure. These decoys and lures deliver high-fidelity alerts, gather attack intelligence, and provide integrations to automate responses.

Deception technology is effectively “sleight of hand” for your environment, diverting attackers away from production assets and strengthening the other components of your cybersecurity stack. Coupled with EDR on the endpoints and conventional perimeter defenses, a deception suite enhances your defense-in-depth strategy and makes an attacker’s job radically more difficult, substantially altering their attack economics and giving defenders the advantage.

ABOUT ATTIVO NETWORKS

Attivo Networks®, the leader in deception technology, provides an active defense for early detection, forensics, and automated incident response to in-network attacks. The Attivo ThreatDefend™ Deception Platform provides a comprehensive and customer-proven platform for proactive security and accurate threat detection within user networks, data centers, clouds, and a wide variety of specialized attack surfaces. The portfolio includes expansive network, endpoint, application, and data deceptions designed to efficiently misdirect and reveal attacks from all threat vectors. Advanced machine learning makes preparation, deployment, and operations fast and simple for organizations of all sizes. Comprehensive attack analysis and forensics provide actionable alerts, and native integrations automate the blocking, quarantine, and threat hunting of attacks for accelerated incident response. The company has won over 80 awards for its technology innovation and leadership. For more information, visit www.attivonetworks.com.